When working with Python to make HTTP requests or connecting to APIs over HTTPS, by default, SSL/TLS verification is enabled. However, there may be circumstances where you need to disable SSL verification. While it’s not recommended to disable SSL verification in a production environment due to security risks, it might be inevitable in a development or testing scenario where self-signed certificates are used, or the certificate authority is not recognized.
Table of Contents
Disabling SSL Verification in http.client
The http.client
library is a low-level HTTP interface in Python. To disable SSL verification, you would typically override the context using the ssl
module.
import http.client import ssl conn = http.client.HTTPSConnection( "example.com", context=ssl._create_unverified_context() ) conn.request("GET", "/") response = conn.getresponse() print(response.read().decode())
Disabling SSL Verification in Requests
The requests
library is a popular, higher-level HTTP library. Disabling SSL verification within requests
is straightforward using the verify
parameter.
import requests response = requests.get("https://example.com", verify=False) print(response.text)
Note: You may see InsecureRequestWarning when SSL verification is disabled. To suppress these warnings, you can adjust the logging level for urllib3
.
import urllib3 urllib3.disable_warnings()
Alternatively, you can set REQUESTS_CA_BUNDLE
environment variable to an empty string or to a non-existent file will effectively disable SSL verification.
import os import requests # Disable SSL verification os.environ['REQUESTS_CA_BUNDLE'] = '' # Now, make your requests response = requests.get('https://example.com') # Your code to handle the response...
Disabling SSL Verification in urllib3
For direct use of urllib3
, you need to create a custom SSLContext
and pass it when creating a connection pool.
import urllib3 http = urllib3.PoolManager( cert_reqs='CERT_NONE', assert_hostname=False ) response = http.request('GET', 'https://example.com') print(response.data.decode('utf-8'))
Disabling SSL Verification in aiohttp
aiohttp
operates asynchronously and allows for SSL verification to be disabled by passing ssl=False
on the client session.
import aiohttp import asyncio async def main(): async with aiohttp.ClientSession() as session: async with session.get("https://example.com", ssl=False) as response: print(await response.text()) loop = asyncio.get_event_loop() loop.run_until_complete(main())
Conclusive Summary
In this tutorial, we explored different methods to disable SSL verification across various Python packages, including http.client
, requests
, urllib3
, and aiohttp
. While disabling SSL verification can be helpful for local testing or dealing with self-signed certificates, it should not be used in a production environment as it makes the application vulnerable to man-in-the-middle attacks. Always ensure to handle SSL certificates appropriately and resolve any issues related to SSL verification in a secure manner for live applications.
References